unwanted traffic and information disclosure in voip...

Unwanted Traffic andInformation Disclosure in VoIP NetworksThreats and Countermeasures

Ge Zhang

Dissertation | Karlstad University studies | 2012:28

Computer science

Faculty of economic sciences, Communication and it

DISSERTATION | Karlstad University Studies | 2012:28

Unwanted Traffic and Information Disclosure in VoIP NetworksThreats and Countermeasures

Ge Zhang

Distribution:Karlstad University Faculty of Economic Sciences, Communication and ITComputer ScienceSE-651 88 Karlstad, Sweden+46 54 700 10 00

© The author

ISBN 978-91-7063-432-1

Print: Universitetstryckeriet, Karlstad 2012

ISSN 1403-8099

Karlstad University Studies | 2012:28

DISSERTATION

Ge Zhang

Unwanted Traffic and Information Disclosure in VoIP Networks - Threats and Countermeasures

WWW.KAU.SE

“Know your enemy, know yourself and you canfight a hundred battles without disaster...”

“Thus, what is of supreme importance in waris to attack the enemy’s strategy....”

The Art of WarSun Tzu

Unwanted Traffic and Information Disclosure in VoIPNetworksThreats and countermeasures

GE ZHANGDepartment of Computer Science, Karlstad University

AbstractThe success of the Internet has brought significant changes to the telecommunication in-dustry. One of the remarkable outcomes of this evolution is Voice over IP (VoIP), whichenables realtime voice communications over packet switched networks for a lower cost thantraditional public switched telephone networks (PSTN). Nevertheless, security and privacyvulnerabilities pose a significant challenge to hindering VoIP from being widely deployed.The main object of this thesis is to define and elaborate unexplored security & privacy riskson standardized VoIP protocols and their implementations as well as to develop suitablecountermeasures. Three research questions are addressed to achieve this objective:

• Question 1: What are potential unexplored threats in a SIP VoIP network withregard to availability, confidentiality and privacy by means of unwanted traffic andinformation disclosure?

• Question 2: How far are existing security and privacy mechanisms sufficient tocounteract these threats and what are their shortcomings?

• Question 3: How can new countermeasures be designed for minimizing or prevent-ing the consequences caused by these threats efficiently in practice?

Part I of the thesis concentrates on the threats caused by “unwanted traffic”, which in-cludes Denial of Service (DoS) attacks and voice spam. They generate unwanted traffic toconsume the resources and annoy users. Part II of this thesis explores unauthorized infor-mation disclosure in VoIP traffic. Confidential user data such as calling records, identityinformation, PIN code and data revealing a user’s social networks might be disclosed orpartially disclosed from VoIP traffic. We studied both threats and countermeasures by con-ducting experiments or using theoretical assessment. Part II also presents a survey researchrelated to threats and countermeasures for anonymous VoIP communication.

Keywords: Voice over IP, Session Initiation Protocol, Realtime Transport Protocol, Net-work Security, Denial of Service, Timing Attack, Privacy and Anonymity.

i

AcknowledgmentsFirst and foremost I would like to express my sincere gratitude to my supervisor, Prof.Simone Fischer-Hubner, who has supported me throughout my thesis with her patience,knowledge and experience whilst giving me so much freedom to explore and discover newareas of Voice over IP security & privacy. I also would like to thank my co-advisor, Prof.Andreas J. Kassler, for many encouraging discussions regarding research and education.

I had the great fortune to work with those nice people in Computer Science Departmentat Karlstad University. For creating a great work environment, a sincere thank goes to allmy colleagues. I am especially grateful to Inger Bran for the helpful administrative support.I also want to thank Stefan Alfredsson and Jonas Karlsson for helping me on vulnerabilityanalysis lab configurations. Further, special appreciation is given to all and previous mem-bers of the Privacy and Security Group (PRISEC). They are Prof. Simone Fischer-Hubner,Prof. Stefan Lindskog, Dr. Thijs J. Holleboom, Dr. Leonardo A. Martucci, Hans Hedbom,Reine Lundin, Stefan Berthold, Tobias Pulls and Philipp Winter. I really enjoyed collabo-rating, discussing and exchanging ideas with such inspiring researchers. Moreover, greatthanks go to the people who make my life in Karlstad so enjoyable. I would like to thankPeter Dely, Marcel Cavalcanti de Castro, Stefan Berthold, Mohammad Rajiullah, AndreasLaven and Julio Angulo for organizing sports and games (gym, innebandy, soccer and Su-per.Mario on Wii). In addition, I also would like to thank those who provided deliciouscakes on Fredags Fika.

Before coming to Karlstad, I have had good opportunities to work with other researchinstitutes. My stay in Berlin at Fraunhofer FOKUS institute and Hasso-Plattner Institute(Potsdam) is a valuable experience because I started my early academic life there. Mysincere thanks must go to Prof. Thomas Magedanz, Dr. Sven Ehlert, Dr. Yacine Rebahi,Prof. Christoph Meinel and Dr. Feng Cheng for supporting me with valuable advice andco-authoring papers.

I would like to thank my family in China for letting me pursue my dream for so long andso far way from home. My deepest appreciation must go to my parents, Jinyi Zhang andMing Qian. I am forever indebted to them for their endless love and support. Furthermore,I would like to thank Mandi Zhang and Hui Xie for accompanying and encouraging me.

Finally, I want to thank C-BIC (Compare Business Innovation Centre) and .SE (Stif-telsen for Internetinfrastruktur) for their financial sponsorship of my research.

Karlstad, June 2012 Ge Zhang

iii

List of Appended PapersThis thesis is comprised of the following 10 peer-reviewed papers. References to the paperswill be made using the Roman numbers associated with the papers such as Paper I.

Part I – Unwanted traffic:

I. Ge Zhang, Simone Fischer-Hubner and Sven Ehlert: Blocking attacks on SIP VoIPproxies caused by external processing, Special Issue on Secure Multimedia Servicesof Journal of Telecommunication Systems, 45(1), pp.61-76, Sep, 2010, Springer.

II. Ge Zhang, Jordi Jaen Pallares, Yacine Rebahi and Simone Fischer-Hubner: SIPproxies: new reflectors? attacks and defenses, in proceedings of the 11th Joint IFIPTC6 and TC11 Conference on Communications and Multimedia Security (CMS’ 10),LNCS 6109, pp.142-153, Linz, Austria, May, 2010, Springer.

III. Ge Zhang and Simone Fischer-Hubner: Detecting near-duplicate SPITs in voicemailboxes using hashes, in proceedings of the 14th Information Security Conference(ISC’ 11), LNCS 7001, pp. 152-167, Xi’an, China, Oct, 2011, Springer.

Part II – Information disclosure:

IV. Ge Zhang, Simone Fischer-Hubner, Leonardo Martucci and Sven Ehlert: Revealingthe calling history on SIP VoIP system by timing attacks, in proceedings of the 4th

International Conference on Availability, Reliability and Security, (ARES’ 2009),pp.135-142, Fukuoka, Japan, March, 2009, IEEE computer society.

V. Ge Zhang and Simone Fischer-Hubner: Peer-to-peer VoIP communications usinganonymisation overlay networks, in proceedings of the 11th Joint IFIP TC6 and TC11Conference on Communications and Multimedia Security (CMS’ 10), LNCS 6109,pp.130-141, Linz, Austria, May, 2010, Springer.

VI. Ge Zhang and Stefan Berthold: Hidden VoIP calling records from networking in-termediaries, in proceedings of the 4th Principles, System and Applications of IPTelecommunications (IPTCOMM’ 10), pp.15-24, Munich, Germany, Aug, 2010, ACM.

VII. Ge Zhang: Timing attacks on a centralized presence model, in proceedings of IEEEInternational Conference on Communications 2011 (ICC’ 11), pp.1-5 Kyoto, Japan,June, 2011, IEEE communication society.

VIII. Ge Zhang: Analyzing keystroke patterns of PIN code input for recognizing VoIPusers, in proceedings of the 26th IFIP conference on Future Challenges in Securityand Privacy for Academia and Industry (IFIP SEC’ 11), AICT 354, pp.247-258,Lucerne, Switzerland, June, 2011, Springer.

IX. Ge Zhang and Simone Fischer-Hubner: Timing attacks on PIN input in VoIP net-works (short paper), in proceedings of the 8th Conference on Detection of Intrusions

v

and Malware & Vulnerability Assessment (DIMVA’ 11), LNCS 6739, pp.75-84, Am-sterdam, The Netherlands, July, 2011, Springer.

X. Ge Zhang and Simone Fischer-Hubner: A survey on anonymous Voice over IP com-munications: Attacks and defences, under submission.

Some of the papers have been subjected to some minor editorial changes.

Comments on my Participation

I am the principal contributor to all papers listed above. The ideas of these papers stemfrom the discussion from co-authors and myself. In addition, my contributions also includedesign of the testbed, implementation of the prototypes, writing proof-of-concept programsand conducting experiments for evaluations.

Most parts of the written material was done by myself. Paper II is a joint effort betweenKarlstad University and Fraunhofer FOKUS Institute and the discussion part of Section 4.3in Paper II was done by Jordi Jaen Pallares.

All the coauthors offered their help on proof-reading, commenting and revising thepapers.

Other Papers

Apart from the papers included in this thesis, I have also authored the following papers.

1. Ge Zhang, Sven Ehlert Thomas Magedanz and Dorgham Sisalem: Denial of ser-vice attack and prevention on SIP VoIP infrastructures using DNS flooding, in pro-ceedings of the 1st Principles, System and Applications of IP Telecommunications(IPTCOMM’ 07), pp. 57-66, New York City, USA, July, 2007, ACM.

2. Sven Ehlert, Ge Zhang, Dimitris Geneiatakis, Tasos Dagiuklas, Georgios Kam-bourakis, Jiri Markl and Dorgham Sisalem: Two layer denial of service prevention onSIP VoIP infrastructures, the International Journal for the Computer and Telecom-munications Industry (COMCOM), 31(10), pp.2443-2456, Jun, 2008, Elsevier.

3. Ge Zhang, Feng Cheng and Christoph Meinel: Towards secure mobile paymentbased on SIP, in proceedings of the 15th IEEE International Conference on Engi-neering of Computer-Based Systems (ECBS’ 08), pp.96-104, Belfast, UK, March,2008, IEEE computer society.

4. Ge Zhang, Feng Cheng and Christoph Meinel, SIMPA: a SIP-based mobile pay-ment architecture, in proceedings of the 7th International Conference on Computerand Information Science (ICIS’ 08), pp.287-292, Portland, USA, May, 2008, IEEEcomputer society.

vi

5. Sven Ehlert, Ge Zhang and Thomas Magedanz: Increasing SIP firewall performanceby ruleset size limitation, in proceedings of the 19th IEEE International Symposiumon Personal, Indoor and Mobile Radio Communications (PIMRC’ 08), VoIP Tech-nologies Workshop, pp. 1-6, Cannes, France, Sep, 2008, IEEE communication soci-ety.

6. Ge Zhang: An analysis for anonymity and unlinkability for a VoIP conversation, inproceedings of the 5th IFIP Primelife Summer School, AICT 320, pp.198-212, Nice,France, Sep, 2009, Springer.

7. Ge Zhang and Yacine Rebahi: Side effects of identity management in SIP VoIPenvironment, Information Security Technical Report, 16(1), pp.29-35, Sep, 2011,Elsevier.

vii

CONTENTS

ContentsAbstract i

Acknowledgements iii

List of Appended Papers v

Introductory Summary 1

1 Introduction 31.1 Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41.2 Objective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41.3 Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2 Background 52.1 VoIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52.2 The Session Initiation Protocol (SIP) [12] . . . . . . . . . . . . . . . . . . 62.3 The Realtime Transport Protocol (RTP) [13] . . . . . . . . . . . . . . . . . 9

3 Security requirements and mechanisms for VoIP 103.1 Security requirements for VoIP . . . . . . . . . . . . . . . . . . . . . . . . 113.2 Classic attacks on VoIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113.3 Security mechanisms in VoIP-related RFCs . . . . . . . . . . . . . . . . . 13

4 Research questions 15

5 Research methodology 16

6 Related work 176.1 Unwanted traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176.2 Information disclosure . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

7 Contributions 207.1 Part I: Unwanted traffic in VoIP networks . . . . . . . . . . . . . . . . . . 207.2 Part II: Information disclosure in VoIP networks . . . . . . . . . . . . . . . 207.3 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

8 Summary of Papers 22

9 Conclusions and Outlook 25

Paper I: Blocking attacks on SIP VoIP proxies caused by external processing 33

1 Introduction 35

ix

CONTENTS

2 SIP-based VoIP 36

3 Related Work 38

4 Blocking Attacks 39

5 Two Attacking Examples 425.1 Blocking Attack Using High-latency DNS Servers . . . . . . . . . . . . . . 435.2 Blocking Attack Using High-latency Web Servers . . . . . . . . . . . . . . 465.3 Preliminary Summary of Blocking Attacks . . . . . . . . . . . . . . . . . . 48

6 Experiments 486.1 Measurements of Latency in the Real World . . . . . . . . . . . . . . . . . 486.2 Test Bed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496.3 Attack Tests Using a High-latency DNS Server . . . . . . . . . . . . . . . 526.4 Attack Tests Using a High-latency Web Server . . . . . . . . . . . . . . . . 53

7 Defence Solutions 557.1 Proxy-based Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557.2 Cache-based Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567.3 Solution Comparison . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

8 Conclusion 62

Paper II: SIP Proxies: New Reflectors in the Internet 65

1 Introduction 67

2 Background of SIP and RFC 4474 68

3 Reflecting attacks using SIP proxies 69

4 Countermeasures 754.1 Unified certificate repository . . . . . . . . . . . . . . . . . . . . . . . . . 754.2 Alternative authentication methods . . . . . . . . . . . . . . . . . . . . . . 754.3 Encoding certificates into the SIP requests . . . . . . . . . . . . . . . . . . 76

5 Related work 78

6 Conclusions 78

Paper III: Detecting Near-Duplicate SPITs in Voice Mailboxes Using Hashes 81

1 Introduction 83

x

CONTENTS

2 Background 85

3 The problems 863.1 Collaborative detection architecture . . . . . . . . . . . . . . . . . . . . . 863.2 Near-duplicate SPIT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

4 Matching Algorithms 894.1 Coskun hash algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . 904.2 Nilsimsa hash algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

5 Experimental results 925.1 Sample collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 925.2 Experiment and evaluation method . . . . . . . . . . . . . . . . . . . . . . 935.3 Result to detect unintentional near-duplicate SPITs . . . . . . . . . . . . . 945.4 Result to detect intentional near-duplicate SPITs . . . . . . . . . . . . . . . 95

6 Related Work 96

7 Conclusion 97

Paper IV: Revealing the calling history on SIP VoIP systems by timing attacks 101

1 Introduction 103

2 Voice over IP using SIP 104

3 Timing Attack 1063.1 Threat model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1063.2 Attacking method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1073.3 Testbed Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1103.4 Testing and Testing Result . . . . . . . . . . . . . . . . . . . . . . . . . . 111

4 Countermeasures 113

5 Related Work 116

6 Conclusion and future work 117

Paper V: Peer-to-Peer VoIP Communications Using Anonymisation Overlay Net-works 119

1 Introduction 121

xi

CONTENTS

2 Background 1222.1 VoIP, codec and silence suppression . . . . . . . . . . . . . . . . . . . . . 1222.2 Anonymisation Overlay Networks (AON) . . . . . . . . . . . . . . . . . . 123

3 Related work 124

4 VoIP anonymization using AONs 1254.1 System model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1254.2 Threat model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1264.3 Defensive method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1274.4 Simulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

5 Further threats 131


Paper VI: Hidden VoIP Calling Records from Networking Intermediaries 135

1 Introduction 137

2 Models 1382.1 Preliminaries: a VoIP model . . . . . . . . . . . . . . . . . . . . . . . . . 1382.2 A calling scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

3 Traffic analysis attacks 1413.1 Adversary model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1413.2 Basic notions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1413.3 Attack methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

4 Protection methods 1454.1 Anonymity preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1464.2 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1474.3 An example solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

5 Open issues 150

6 Related Work 154

7 Conclusion 155

Paper VII: Hidden VoIP Calling Records from Networking Intermediaries 159

1 Introduction 161

xii

CONTENTS

2 Models 1632.1 System model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1632.2 Threat model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

3 Short term attack and its prevention 1643.1 The linkabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1643.2 A defending batch scheme . . . . . . . . . . . . . . . . . . . . . . . . . . 165

4 Long term attack and its prevention 1674.1 How to make this attack easier? . . . . . . . . . . . . . . . . . . . . . . . 1694.2 A discussion of countermeasures . . . . . . . . . . . . . . . . . . . . . . . 169

5 Related Work 170

6 Conclusion 171

Paper VIII: Analyzing Key-Click Patterns of PIN Input for Recognizing VoIPUsers 173

1 Introduction 175

2 Background in VoIP flows 176

3 Attacking method 178

4 Experiments 1794.1 Data Collecting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1794.2 Data Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1804.3 Learning algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1804.4 Analysis and results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1814.5 Discussion on countermeasure . . . . . . . . . . . . . . . . . . . . . . . . 183

5 Related work 184

6 Conclusion 185

Paper IX: Timing Attacks on PIN Input in VoIP Networks (Short paper) 189

1 Introduction 191

2 Background in VoIP 192

xiii

CONTENTS

3 Attacks 1933.1 Recover inter-keystroke delays . . . . . . . . . . . . . . . . . . . . . . . . 1943.2 The impact of networking conditions . . . . . . . . . . . . . . . . . . . . . 1943.3 Reducing the search space . . . . . . . . . . . . . . . . . . . . . . . . . . 195

4 Experiments 1964.1 Priori-knowledge preparation . . . . . . . . . . . . . . . . . . . . . . . . . 1964.2 Results for PIN inference . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

5 Related work 198


7 Appendix: Inter-stroke delay of key pairs 200

Paper X: A Survey on Anonymous Voice over IP Communication: Attacks andDefences 203

1 Introduction 205

2 Background of VoIP 2062.1 Protocols and Architectures . . . . . . . . . . . . . . . . . . . . . . . . . . 206

3 Terminology and VoIP Anonymity 2103.1 General Terminology of Anonymity . . . . . . . . . . . . . . . . . . . . . 2103.2 Techniques and Implementations for Anonymous Communications . . . . . 2113.3 VoIP linkability and anonymity . . . . . . . . . . . . . . . . . . . . . . . . 2123.4 Attacks on VoIP anonymity . . . . . . . . . . . . . . . . . . . . . . . . . . 2133.5 Adversary Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

4 Survey of Proposed VoIP Anonymity Attacks 2154.1 Attacks Based on Unencrypted Signaling Messages [26, 27] . . . . . . . . 2164.2 Attacks based on Biometrics Profile . . . . . . . . . . . . . . . . . . . . . 2174.3 Flows correlation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2204.4 Topology Analysis on P2P VoIP Networks [16] . . . . . . . . . . . . . . . 2254.5 A summary of attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227

5 Survey of Proposed VoIP Anonymity Mechanisms 2275.1 Pseudonym based defenses . . . . . . . . . . . . . . . . . . . . . . . . . . 2275.2 Padding based defense [46] . . . . . . . . . . . . . . . . . . . . . . . . . . 2305.3 Flow correlation resistance . . . . . . . . . . . . . . . . . . . . . . . . . . 2305.4 Router selection based defenses . . . . . . . . . . . . . . . . . . . . . . . 234

6 Conclusion 236

xiv

Introductory Summary

1. Introduction 3

1 Introduction

For almost one hundred years already before the emergence of the Internet, realtime voicecommunication across long distances has been implemented using Public Switched Tele-phone Network (PSTN). In recent decades, the Internet has quickly established itself asan excellent platform for data and multimedia content distribution. This development hasmotivated telephony service providers to consider new business models that can take advan-tage of Internet technologies and the protocols. Voice over IP (VoIP), the transmission ofvoice traffic using the Internet Protocol, is designed to provide telephony equivalent func-tions with additional benefits like cost saving and flexibility [1]. For these benefits, moreand more people nowadays begin to make phone calls using VoIP (e.g., Skype [2]) on theircomputers. In addition, many companies also consider to setup VoIP infrastructures to re-duce telephony costs. Nevertheless, the benefits of VoIP come along with some problems,one of which is the impact brought by security and privacy threats in the cyber space. Theenvironment of VoIP makes it more vulnerable than PSTN: Many VoIP deployments use aninterconnected network environment (e.g., the Internet) with standardized protocols, whilePSTN is a closed network environment with proprietary protocols. Thus, it is easily possi-ble for adversaries to find and exploit the vulnerabilities of VoIP implementations as wellas to access the VoIP network infrastructures to launch attacks. Concrete examples havebeen presented in the real world: in 2006, an attacker was arrested and charged with mak-ing more than $1 million by breaking into VoIP services and illegally routing calls throughtheir lines [3]. Thus it is unlikely for current VoIP to completely replace PSTN consideringthe security and privacy issues. Therefore, reducing security and privacy threats for VoIP isan important task and many research projects have been conducted towards this goal [4–8].

VoIP has two kinds of vulnerabilities, as summarized in [9]: One kind is the vulnera-bilities of VoIP protocols and their implementations. The vulnerabilities of VoIP protocolsneed to be assessed by analyzing standardized VoIP protocols and understanding the vul-nerabilities present in the protocols. This will be helpful for the development of securitymechanisms that can be incorporated into the protocol specifications. The countermea-sures against attacks can be easier to design if the potential flaws and their exploitations areunderstood. The other kind is inherited vulnerabilities coming from existing network in-frastructures (e.g., a router on the network layer, or a DNS server on the application layer).VoIP applications rely on these infrastructures and thus the vulnerabilities on them mayaffect VoIP as well. In this way, all components in a VoIP network need to be protected,no matter it is a VoIP components or not. In addition, the interface between VoIP and non-VoIP components needs to be carefully designed. Compared to many popular applicationson the Internet like email and web surfing, VoIP has higher requirement on real time. Thus,security mechanisms need to be designed carefully in regard to performance tradeoff.

4 Introductory Summary

1.1 Scope

In this thesis, we have studied the VoIP services using IETF standardized protocols ratherthan those using proprietary ones. Although Skype [2], a VoIP service using proprietaryprotocols, currently gains a significant success on business, it is difficult to analyze itsdetails. Also it is not easy to setup a testbed to validate assumptions. In contrast, IETFstandardized protocols are well documented and published for analysis. Moreover, thereare a lot of open source VoIP products using standardized protocols available for both ser-vices and endpoints. Therefore, it has been feasible for us to implement test environmentswhich allow us to evaluate our ideas and hypothesis in practice. In addition, standardizedprotocols have also been widely adopted by industry [10]. For these reasons, our researchis only focused on IETF standardized protocols. Two kinds of protocols are especiallyimportant for VoIP. One is the signaling protocol which does not transmit voice packets,but is designed for establishing, controlling, modifying and terminating communications.Another is the voice transport protocol which transports voice traffic with realtime features.In this thesis, the scope of our research focuses on the Session Initiation Protocol (SIP) forsignaling and the Realtime Transport Protocol (RTP) for voice transport.

The types of security and privacy studies in this thesis are unwanted traffic and infor-mation disclosure. Unwanted traffic may be caused by Denial of Service (DoS) attacks andSpam. These threats significantly reduce the availability of services and the user quality ofexperience. Information disclosure impacts confidentiality and privacy. VoIP traffic maydisclose information about a user’s secrets like PIN code or her social relations. Further-more, there are instances where one also would like to make calls while staying anonymous.This thesis investigates both issues.

1.2 Objective

The objective of this thesis is to define and elaborate unexplored security and privacy risksin VoIP networks, especially including (1) unwanted traffic, like Denial of Service (DoS)attacks and Spam; and (2) information disclosure, like profiling Call Detail Records (CDR),buddy lists and users’ PIN codes. We are also interested in finding out how easily theserisks can be exploited by attackers in the real world, and in consequence, how high therisks are for VoIP services and users. We furthermore follow the objective to elaborate anddevelop several defending solutions to eliminate or minimize the impacts caused by therisks. Finally, we would like to know which solutions are the most practical and efficient.

1.3 Structure

This thesis presents an introductory summary and a collection of 10 papers in the area ofsecurity & privacy of VoIP services that were either authored or co-authored by the au-thor of this thesis. The rest of the introductory summary is organized as follows. Section

2. Background 5

2 presents fundamental background on standardized VoIP protocols. Section 3 lists somegeneral security and privacy considerations for VoIP services. Further, Section 4 outlinesthe research questions of this thesis and Section 5 discusses the research methodologies thatwe applied. Related work to this research is outlined in Section 6, followed by a summaryof our contributions in Section 7. Section 8 summarizes the contents of the 10 included pa-pers which are divided into two parts: unwanted traffic and information disclosure. Finally,Section 9 provides the main conclusions of this thesis with an outlook on future work inthis direction.

2 Background

This section presents with the basic concepts of VoIP and its standardized protocols.

2.1 VoIP

The Internet Protocol (IP) [11] is the standard for data transactions. Content of email andweb pages are data and thus those applications can be built on the top of IP. When voicetransport is combined with IP, two basic functions are required: (1) A signaling functionfor establishment, modification and termination of a voice conversation, and (2) a voicetransmission function that carries voice traffic. There are both standard protocols and pro-prietary protocols for the implementation of the two functions. The Internet EngineeringTask Force (IETF) standardizes protocols like Session Initiation Protocol (SIP) [12] for sig-naling function and Realtime Transport Protocol (RTP) [13] for voice transmission func-tion. The specifications of the protocols are published as Request for Comments (RFC) onthe IETF’s homepage [14]. In contrast, the details of proprietary protocols, like Skype [2],are not available to the public, but are maintained internally.

Built on IP networks, VoIP has its own advantages and disadvantages compared withPSTN. The major advantages of VoIP include:

1. Low costs: By allowing voice to be converged on existing IP networks (e.g., Inter-net), the costs for deploying and operating VoIP services are lower than traditionalPSTN. Another reason for low costs is that VoIP infrastructures can be software-based. Especially, there are a number of open source VoIP products (e.g., kphone[15], kcall [16], X-Lite [17], SER [18], OpenSIPS [19]). Installing these free soft-ware products on computers or smart phones, instead of buying expensive PSTNequipments, saves money for both users and service providers.

2. Flexible and extendable features: VoIP can be converged on IP networks alongwith other applications. Therefore it can provide more features than traditional PSTNservices. For example, it is easy to integrate audio, video, game and email features


together with VoIP. In addition, software-based infrastructures can be easily updated.In contrast, PSTN infrastructures are not flexible since they are mostly hardware-based and are designed for specific purposes.

Nevertheless, there are also some disadvantages with VoIP as well:

1. Security & privacy threats: VoIP is deployed on interconnected IP networks (e.g.,the Internet), an open network environment with public protocols. Thus, it is pos-sible for unauthorized users to access the network infrastructure. In addition, VoIPapplications need support from other applications (e.g., DNS servers), the vulnera-bilities of those can pose a risk to VoIP services as well. In comparison, within aclosed network environment and proprietary protocols, the costs of intruding PSTNnetworks is higher than the costs of intruding VoIP networks.

2. Quality loss: There are many quality issues for VoIP that do not exist for PSTN.Since PSTN infrastructures are implemented for specific purpose and the resourcesare reserved for each individual, acceptable quality can be guaranteed for PSTN.Nevertheless, IP networks are designed to support multiple purposes without re-source reservation. Thus, load of the network varies from time to time. As a result,the quality of data transmission cannot be assured, which may lead to unexpectedlatency and packet loss. As telephony services are time-sensitive, these quality prob-lems become the most essential barriers for VoIP applications. In addition, it ischallenging to tackle both the security & privacy threats and the quality loss. For in-stance, a security mechanism applied to a VoIP system may introduce more latencysince additional operations (e.g., encryption/decryption) are needed. This might leadto quality loss.

2.2 The Session Initiation Protocol (SIP) [12]

2.2.1 SIP message format

SIP is a text-encoded signaling protocol based on some elements inherited from HTTP [20]and SMTP [21]. SIP users are identified by a Uniform Resource Identifier (URI) [22], auniversal string with a pair of domain name and user name registered for this domain (e.g.,sip:[email protected]). SIP transactions follow a request and a response manner. Someexamples of SIP requests for voice conversation are given below:

• INVITE: Initiates a SIP transaction to setup a session.

• ACK: Acknowledgement of final response to INVITE.

• BYE: Terminate an undergoing session.

2. Background 7

Figure 1: An example of SIP INVITE request

There are a variety of SIP response types. SIP response codes are divided into sixclasses by the first digit of the code:

• 1xx: Provisional – the request has been received but the processing is unfinished.

• 2xx: Success – the request has been received and accepted.

• 3xx: Redirection – the request should be delivered to another place.

• 4xx: Client error – the request cannot be processed due to error in the request.

• 5xx: Server error – the request cannot be processed due to server’s failure.

• 6xx: Global failure – the request cannot be processed at any server.

Both SIP requests and responses are following the message format including three el-ements: (1) the first line, containing either a request method or a response code, a requestURI and the SIP version; (2) the headers, containing a list of message headers with valuesfor SIP transactions; (3) the message body, can be text-based content for different purposes.An example message for the SIP INVITE request is shown in Figure 1, indicating that thecaller of “sip:[email protected]” invites the callee of “sip:[email protected]” for a VoIP conversa-tion. Several message headers dedicated to routing purposes are explained as follows:

• To: indicates the URI of the message recipient.

• From: indicates the URI of the message originator.

• Contact: indicates one or more SIP URIs of the originator by which the recipient cancontact with the originator directly. They can be different from the one in the Fromheader.


Figure 2: SIP traffic flows across 2 domains

2.2.2 SIP architecture

A SIP network consists of different entities. For simplification, we classify them into twotypes: Server and User Agent (UA). A server provides services (e.g., registering users, lo-cating users and relaying traffic) to the users within a service domain. A UA is a user’sequipment connected to the networks to make or answer calls. With regard to SIP net-work topology, the architecture can be either Client/Server (C/S) or Peer-to-Peer (P2P), asfollows:

• Client/Server (C/S): In this architecture, there are centralized servers deployed toprovide different services (e.g., user location, traffic relay, session management, etc).The users rely on the servers to build conversations. In this case, a service providercan easily manage calling requests and traffic. However, the requirement on thecapability of servers is high and the whole systems will be brought down in case ofthe failure of servers.

• Peer-to-Peer (P2P): In a P2P architecture, a user relies on other peer nodes for theprovision of services. There might be still servers deployed, but the servers onlyprovide limited functions (e.g., enable users to login to the network).

A SIP call may cross several SIP domains, an example of which is shown in Figure 2.Alice, the caller, is located in the domain kau.se and Bob, a callee, is located in iptel.org.Initially, Alice sends an INVITE request to one of the local proxies. This INVITE requestindicates that she wants to talk with Bob at iptel.org. Then, the local proxy forwards thisINVITE request to the remote proxy at iptel.org. The request is finally delivered to theUA of Bob. If Bob wants to accept the call, his UA will reply with a 200 OK responseback through the proxies. After Alice has sent an ACK message to confirm the request,the signaling handshaking is accomplished. Thus, Alice and Bob will build a peer-to-peervoice session in which they can talk with each other by means of exchanging voice packets.Note that voice packets are not routed by SIP proxies. When Alice wants to tear down the

2. Background 9

conversation, her UA will send a BYE request to Bob, and Bob’s UA will reply with a 200OK response. Then the call is terminated.

Sometimes SIP proxies require support from other application servers. In Figure 2, theproxies in “kau.se” domain need to resolve the domain name “iptel.org” before forwardingthe INVITE message. Thus, the proxy may contact a DNS server for a recursive DNSquery of “iptel.org”. The message cannot continue to be processed until a DNS answer isreceived. It is named an external processing since the processing depends on a non-VoIPcomponent. Papers I and II discuss the security risks related to external processing.

2.2.3 SIP presence message

The primary function of SIP is to deal with voice sessions, but it also has extensive func-tions such as conveying presence information, which is to express whether someone isavailable or not. When a user changes status (e.g., from “idle” to “busy”), his/her UA willmulticast the up-to-date presence information to his/her buddies. In this way, a caller canget a brief overview of a callee’s willingness before launching a call. Therefore, presenceservices provide a better quality of experience to users. Paper VII discussed the problemof information disclosure from presence traffic.

2.3 The Realtime Transport Protocol (RTP) [13]

Once a session is established, voice packets will be transmitted using a voice deliveryscheme. For instance, the Realtime Transport Protocol (RTP) [13] is the IETF standardizedvoice delivery protocol. RTP provides end-to-end delivery services for data with real-timecharacteristics over IP networks. In a session, the communication partners constantly sendRTP packets to each other in a fixed time interval (e.g., 20 ms). The payloads of RTPpackets are encoded and decoded from analog audio signals by a codec algorithm (e.g.,G.711 [23] and Speex [24]). Speech signal is sampled at 8-64k samples per second (Hz)by a user-agent. As a performance requirement, the RTP packet inter-arrival time is fixedlyselected between 10 and 50 ms, with 20 ms being the common case. Given a 8kHz voicesource, we have 160 samples per packet with 20 ms packets interval. In addition, RTP notonly can carry payload for encoded voice, but also is used to indicate a user’s keystrokes onthe phone pad. It is used by Interactive Voice Response (IVR) which enables a telephoneuser to interact with an automatic answering machine. For example, a user can be given amenu and asked to make a choice by pressing a number button after her call is established.Paper VIII and IX discuss the problem of information disclosure on keystroke from RTPtraffic.

The communication partners must have already negotiated the same codec for encod-ing/decoding. Two codec properties are related to Paper III, V and VI in this thesis:

• Silence suppression: It allows discontinuous voice packets transmission [25], which


is a capability to recognize the silent periods and to stop producing voice packetsduring these periods. Thus bandwidth can be significantly saved with little perfor-mance impact. If silence suppression is not applied, the voice packets are generatedconstantly with a fixed time interval (e.g., 20 ms).

• Coding bit rates: Two types of coding bit rates can be distinguished: Fixed Bit Rate(FBR) and Variable Bit Rate (VBR). FBR codec (e.g., G.711) employs a fixed code-book with constant bit rate. Thus the generated voice packets have the same packetsize. On the other hand, VBR codec (e.g., Speex) can employ an adaptive codebookwith variable bit rate. It exploits the fact that some sounds are easier to representthan others. For instance, fricative sounds require lower bit rates than vowels. Thusthe fricative sounds need fewer bits to be encoded to save bandwidth. In this way,UAs produce voice packets with different packet sizes.

The transmission of RTP packets is Quality of Service (QoS) sensitive with three issuesthat are frequently taken as criteria to evaluate:

• End-to-end delay: It indicates the time interval between encoding a voice packetat the sender and decoding it at the recipient. The delay will affect the quality ofexperience when it reaches a certain threshold. According to [26], users will notice asignificant hesitation in their partners’ response if the end-to-end delay is above 250ms.

• Delay jitter: It refers to the variation of packet interarrival time. It is caused by net-work congestion and improper routing during the transmission of voice packets. As asolution, the receiver can buffer packets to eliminate delay jitter. In return, however,buffering packets introduces more end-to-end delay and impacts interactivity.

• Packet loss: Voice packets might be accidently dropped during the transmission. Re-transmission of lost voice packets is not helpful since the packets are time-sensitive.Fortunately, VoIP applications can endure a certain level of packet loss. The level ofendurance depends on the codec design.

3 Security requirements and mechanisms for VoIP

VoIP is applied in an open and insecure environment. Therefore, additional security en-hancements for VoIP are necessary. This section introduces basic security requirementsand threats to VoIP with its security mechanisms.

3. Security requirements and mechanisms for VoIP 11

3.1 Security requirements for VoIP

The security requirements for SIP services are examined according to basic security com-ponents (confidentiality, integrity, availability) defined in [27].

• Confidentiality means that secret information should not be disclosed to unautho-rized parties. When it comes to VoIP, secret information includes content of signalingand voice traffic. Further, VoIP service providers often wish to conceal their networkconfigurations as well as to withhold user information (e.g., calling history).

• Integrity means that data should not be modified without authorization or in animproper manner. There are two types of integrity: data integrity and data sourceintegrity. Regarding VoIP services, data integrity means that VoIP traffic should notbe modified by unauthorized intermediaries. Data source integrity means that thesource of traffic should not be an impersonated one.

• Availability indicates that the services should be accessible upon demand by autho-rized users. Considering the costs for infrastructures, it is unlikely for a VoIP serviceprovider to offer services with unlimited capacity. Similar to other online applica-tions, VoIP service providers deploy servers by assuming a statistic model for thefuture usage. However, sophisticated attackers may manipulate their use to breakthe assumed statistic model on purpose. In this way, legitimate users may be un-able to access the service which they should get. Protection on availability aims atpreventing that the statistical model is broken.

• Privacy refers to the human rights of individual users. More than one hundred yearsago, the two US lawyers Warren and Brandeis defined that privacy is the right tobe let alone [28]. Alan Westin has defined privacy as “the claim of individuals,groups and institutions to determine for themselves when how and to what extentinformation about them is communicated to others” [29]. Westin also believes thatemerging technologies can impact on privacy. In the context of VoIP, it includes VoIPanonymity which enables users to withhold their identities when placing calls tohind who is communicating with whom. Thus an adversary cannot identify the usersfor a given call. Anonymous VoIP is important for many users not only for privatepurposes, but also journalists, human rights workers and the military would often liketo keep secret with where they are communicating. Yet another privacy requirementis about users’ right to refuse unsolicited calls, for instance, from telemarketers.

3.2 Classic attacks on VoIP

Classic attacks on VoIP are summarized as follows.


• Eavesdropping: It is a threat against confidentiality. For instance, network inter-mediaries can sniff VoIP traffic including voice packets and signaling messages byusing some traffic capture tools (e.g., wireshark [30]). From eavesdropped traffic, anattacker may be able to read the conversation content or signaling credentials.

• Traffic tampering: It is a threat against data integrity. It refers to a situation wherean unauthorized intermediary alters traffic. For example, given that Alice sends anINVITE request to call Bob, an intermediary can alter the first line and To header inthe request to make Alice talk with another person instead of Bob.

• Replay: It is a threat against data source integrity. A replay attack refers to capturingtraffic and re-sending them again after a period of time. If the traffic contains creden-tials, it may enable unauthorized users to access VoIP services. A replay attack thatleads to financial loss of legitimate users is called billing attack [31].

• Identity spoofing: It is a threat against data source integrity. Attackers may initiatecalling requests with fake identities to avoid being traceable or attackers may presentspoofed identities to cheat callees.

• Denial of Service: It is a threat against availability. Denial of Service (DoS) aimsat preventing legitimate users to access VoIP services or at making the services tem-porarily unavailable. An attacker can mount attacks on SIP services by depleting re-sources (e.g., CPU, memory and bandwidth) of corresponding SIP proxies [32]. AsVoIP is time-sensitive, services may suffer more from DoS than other non-realtimeservices (e.g., email).

• Spam: It is a threat against privacy in the sense of the right to be alone. Spam is fore-seen to appear on VoIP due to its low cost and programmable VoIP UAs. It is namedas SPam over Internet Telephony (SPIT). A SPIT client could automatically launchcalls to a number of VoIP users and then play a pre-recorded audio in a conversation.There might be two kinds for a SPIT, namely online SPIT and offline SPIT. In onlineSPIT, the callee of a SPIT is available and thus the callee needs to decide whetherto answer it or not. Therefore, the online SPITs annoy users by continuously draw-ing their attentions. In contrast, the offline SPIT means that the callee of a SPIT isnot available and cannot make an answer personally. In this case, the SPIT will beredirected to and answered by the callee’s voice mailbox server. As a result, a user’svoice mailbox might be filled up with junk voice messages and leaves no room foruseful ones.

• Traffic analysis: It is a threat against privacy or confidentiality of communications,depending on whether the victim is an individual or an organization. Attackers canprofile secret information (e.g., call patterns, calling records and social relations)from VoIP traffic using data mining algorithms.

3. Security requirements and mechanisms for VoIP 13

Figure 3: The HTTP Digest authentication adapted in SIP

3.3 Security mechanisms in VoIP-related RFCs

There are some security and privacy specifications that have been standardized by the IETF,classified as protections of signaling, voice traffic and underlayers respectively.

3.3.1 Security mechanisms for signaling traffic

In RFC 3261 [12], RFC 3329 [33] and RFC 4474 [34], several security mechanisms arerecommended to secure SIP services. These security mechanisms are summarized as fol-lows:

• HTTP Digest authentication: HTTP Digest [35], a stateless, challenge-based mech-anism, provides source authentication and anti-replay protection. It can be used forboth proxy-to-user authentication and user-to-user authentication. An example ofthis mechanism is illustrated in Figure 3. The user first sends an INVITE requestto a proxy. Then, the proxy responses with a “407” message containing a uniquenonce (a random number). The user receives this message and generates a hash di-gest for the combination of the nonce and owned password. Thus, the user sends theINVITE request again including the generated hash digest. Since the secret knowl-edge (the nonce and user’s password) is shared with the proxy, the hash digest canbe re-generated by the proxy to authenticate the source of this request. It is difficultfor an eavesdropper to capture the plain text of a password since only a hash digestis transmitted over the network. Furthermore, by hashing a password with a nonce,replay attack can be efficiently prevented.

• S/MIME: Both message integrity and confidentiality can be ensured by carryingS/MIME [36] bodies. A signature for part of the message will be generated andattached in order to ensure that the content is not modified during the transmission.Moreover, the message payload and some headers can be encrypted to protect againsteavesdropping attacks. However, the integrity of some header fields, which are al-lowed to be modified by intermediaries (e.g., Via), cannot be protected by the signa-ture. Similarly, the fields of some message headers for routing purpose (e.g., To, Via)must be kept in plain text during transmission.

• Inter-domain authentication: To prevent identity fraud problems, an inter-domainauthentication has been proposed in RFC 4474 [34]. Its purpose is to authenticate


Figure 4: The mechanism of inter-domain authentication for message source

the originator of an inter-domain SIP message. The method is shown in Figure 4.For each outgoing message to other domains, the SIP proxy in the caller’s domaingenerates a hash digest for this message. The digest is signed by the caller’s proxywith its private key. The generated signature is encoded in a new header field Identityadded to the original SIP message. Furthermore, the SIP proxy attaches another newheader field Identity-info, which contains the Uniform Resource Locator (URL) [37]where the certificate can be fetched from. Then, this SIP request is forwarded to thecallee’s domain. It is regulated that each certificate must be provided by its domainitself. That is, in a SIP message, the URL indicated in the Identity-info field and theoriginator domain indicated in the From field should be matched. For each incomingmessage from other domains, the SIP proxy in the callee’s domain first downloadsthe certificate according to the URL given in the Identity-info field. The public keyextracted from the certificate is used to decrypt the signature contained in the Identityfield. Then, a hash digest will be recomputed for the request. The result is used tobe compared to the newly generated hash digest. The proxy will continue to processthe message only if the two values are equal. This mechanism is recommended to bedeployed in future SIP services to prevent SPAM [38].

3.3.2 Security mechanisms on voice traffic

• Secure RTP (SRTP): SRTP [39] is a common security scheme in which commu-nication parties share keys and encrypt/decrypt payloads of RTP packets. However,RTP headers are not encrypted since RTP headers are required to be in clear textto allow for billing purposes and header compression. This means that RTP headerfields are still available to intermediaries despite of the protection.

• Zimmermann RTP (ZRTP): ZRTP [40] is a mechanism to agree on a session keyfor building SRTP sessions based on the Diffie-Hellman key exchange algorithm.The scheme does not rely on PKI. Instead, the communicating parties verbally cross-check a shared value displayed at both UAs to ensure the end-to-end security.

4. Research questions 15

3.3.3 Security mechanisms at lower layers

Since SIP and RTP operate on the application layer of the TCP/IP model, the securitymechanisms from lower layers can also protect them.

• TLS: Transport Layer Security (TLS) [41], working at the transport layer, providessource authentication, message authentication and message confidentiality, based ona Public Key Infrastructure (PKI). There are three phrases to build a TLS connectionbetween two end-points: First, two end-points negotiate for supported cryptographicalgorithms. Second, two end-points exchange a symmetric key and authenticate eachother. Finally, they communicate with each other using the symmetric key for en-crypting messages.

• IPSec: IPSec [42] stands for IP Security, which is designed by IETF to provide se-curity at the network layer using a collections of techniques (authentication header(AH), encryption security protocol (ESP) and internet key exchange (IKE)). AH pro-vides authentication to IP packets, while ESP offers security services including bothauthentication and confidentiality.

4 Research questions

In this section, three underlying research questions of this thesis are outlined.

• Question 1: What are potential unexplored threats in a SIP VoIP network withregard to availability, confidentiality and privacy by means of unwanted traffic andinformation disclosure?

This question is discussed in all listed papers except Paper V and X. Paper I and IIproposed two kinds of DoS attacks in a SIP VoIP network, one against SIP infrastruc-tures and another against web servers. Paper III discusses a VoIP spam threat whichautomatically generates SPITs using a Text-to-Speech synthesis engine. Paper IV, VIand VIII present threats to profile calling detail records, such as “who called whom”.Paper VII and IX discuss methods to profile a victim VoIP user’s social network andPIN code from traffic respectively. None of these threats has been explored in theoryor in practice before.

• Question 2: How far are existing security and privacy mechanisms sufficient tocounteract these threats and what are their shortcomings?

This question is investigated in each of the papers mentioned above. The protectionschemes from both IETF standardization and related research work have been dis-cussed to see whether they can solve the problems. In addition, Paper X provides acomprehensive overview of the state of the art on anonymous VoIP communicationresearch including threats and countermeasures.


• Question 3: How can new countermeasures be designed for minimizing or prevent-ing the consequences caused by these threats efficiently in practice?

The main objective of this thesis is to improve the security and privacy of currentVoIP services. Therefore, it is necessary to develop novel solutions to eliminatethe threats explored under Question 1 if the answer to Question 2 is negative. Torealize this goal, we design, discuss and evaluate solutions for each vulnerability.The proposed countermeasures are presented in each paper.

5 Research methodology

The research methods conducted in this thesis include: literature review, theoretical anal-ysis, ideas development, quantitative experiments and data analysis. The detail of eachmethod is described in [43]. Below, we describe how we applied these research method-ologies to address the questions above.

Question 1: Firstly, we studied literatures including VoIP specifications and otherrelated papers on network security (literature review). We found several vulnerabilitiesthat may exist on VoIP networks (hypothesis formulation). To validate our hypothesis, weadopted different methods.

• Paper I and II: We built testbeds with open source VoIP software to simulate the realVoIP networks. We also prototyped attacking tools. Since Papers I and II aim toinvestigate DoS attacks, we measure the attacking impact in terms of service per-formance. This method is defined in [44] as a performance evaluation. First, wemeasure the maximum load which a service can handle without being attacked andtake this load as a benchmark. Then, we restart the measurement with attacks underdifferent parameters to find out how much the load will be reduced. The amount ofreduction reveals the attacking impact.

• Paper IV: We setup a testbed directly connected to the Internet. We collected theround trip times of several SIP requests which may trigger the testbed to downloadcertificate from the Inernet, and then we compared on the round trip times. Notethat the data we collected is public information and we did not risk or interrupt theservices in the real world: Our experiments only generated a reasonable amount ofwell-formed http/https traffic to the Internet.

• Paper III, VIII and IX: In Paper III, we generated artificial spam traffic based on anonline corpus of message spam. In paper VIII and IX, we invited around 40 studentsand collected their keystroke flows using pseudonyms. We applied several learningalgorithms and measured the recognition accuracy.

• Paper IV and VII: We performed theoretical analysis on the attacks described in

6. Related work 17

Paper IV and VII. We employed inductive approach to propose formalized modelsfor the threats. According to [44], this method is defined as analytical modeling.

Question 2: We reviewed RFCs, books and papers with regard to defensive solutions(literature review). Based on analytical modeling and quantitative experiments, we foundthat proposed methods are mostly insufficient to counteract the attacks that we had ex-plored. In addition, Paper X conducted a survey on anonymous VoIP communications andidentified the open problems as well as the research challenges.

Question 3: We applied the evaluation research method [43] to answer this question.We enumerated possible defensive solutions for the aforementioned threats. Then, we an-alyzed advantages and disadvantages of each solution theoretically (theoretical analysis).In Paper I and II-V, we also implemented and deployed solution prototypes in our testbed.Thus we repeated the attacks and analyzed whether the impacts can be reduced with thesecountermeasures (quantitative experiments and data analysis). Due to the constraints ondata collection, we only discussed the countermeasures theoretically in Paper VI-IX.

6 Related work

This section summarizes research work which is related to this thesis, on unwanted trafficand information disclosure respectively, and briefly shows how this thesis has advancedstate of the art.

6.1 Unwanted traffic

Denial of Service: Sisalem et al. [32] classified different types of DoS attacks targeting SIPinfrastructures. They developed a taxonomy of attacks by different exploitable resources,including CPU, memory and bandwidth, to reduce the performance of a victim SIP en-tity. A stateful SIP proxy has to consume memory resources to keep the transaction statesof unfinished SIP transactions. Therefore, stateful SIP proxies are especially vulnerableto INVITE flooding attack, in which an attacker floods SIP proxies with only INVITEmessages to create a large number of broken transactions. Sengar et al. [45] proposed amachine learning method to detect INVITE flooding attacks. It is an anomaly detectionsystem, in which they firstly characterized the distributions of INVITE and other messagesin legitimate SIP traffic. They can later detect attacks if the distributions become abnor-mal. Moreover, [46–48] proposed specification-based detection methods using SIP statemachine models to counter INVITE flooding attacks. Similarly Geneiatakis et al. [49] pro-posed a detection methods to prevent INVITE flooding using Bloom filter, which generatesa dynamic whitelist to filter suspect traffic. Conner et al. [50] proposed a ringing-based DoSattack to consume memory resources of stateful SIP proxies. Different to INVITE flooding,this attack exploits the potential long time 180 Ringing state. Further details of DoS attacks


on SIP VoIP and preventions are available in the survey by Ehlert [51]. The DoS attacks inour research are different with previous work. One of the threats we investigated is to blockSIP proxies by exploiting external infrastructures (e.g., a DNS server and a HTTP server).These risks have not been studied before. Another is to take SIP proxies as reflectors toattack HTTP servers in the network. In the context of this thesis, our countermeasures areon two levels: one is on the protocol level in which we revise the protocols to eliminate thisvulnerability and another is on the implementation level in which we implement a cachescheme to enhance the performance of a SIP proxy. Our solutions are based on prevention,instead of detection. One of the benefits of prevention is that prevention can minimize theattacking impacts during the attacks. Therefore, the damage caused by attacks has beeneliminated from the beginning, whereas, in most cases, detection works only after the dam-age actually happens. It is too late as the damage already occurs and easily cause detectionfalse alarm.

Spam: A popular scheme to combat VoIP spam is to use black lists or white lists toindicate the trust level. For instance, Skype users [2] can customize their configurationsto allow being called by anyone or only by the users in their buddy lists. The unclassifiedcalls from the users in a gray-list can be temporarily rejected [38, 52]. Balasubramaniyanet al. [53] generate reputations for VoIP users based on the call durations of their previouscalls. It is motivated by the observation that a legitimate user typically makes longer callsthan a SPITer. Similarly, Zhang et al. [54] use cumulative online duration to calculate thereputation value. The less time a VoIP user is online, the less calls he/she can launch.This scheme prevents the SPITers who register new accounts for SPITing. A Turing testtells whether the caller is a human or an automatic spam generator. Markkola et al. [55]implemented a prototype of audio CAPTCHA [2]. It says 5 random digits and requires acaller to correctly input them for the call being processed. Quittek et al. [56] proposed ahidden Turing test based on the factor that people usually greet each other at the beginningof a telephone conversation, which results in alternative short periods of silent and speech.SPITers typically do not react to greeting, and then can be detected. Different to previouswork, we examined a VoIP spam method which can morph itself to avoid being detected.Our countermeasure takes VoIP flow features to cluster spam traffic.

6.2 Information disclosure

Information hiding on signaling flows: As SIP messages are not mandatorily encrypted,Peterson [57] and Shen et al. [46] summarized privacy-sensitive message fields in SIP.The identities can be replaced by the a trusted third party with randomized pseudonyms.Karopoulos et al. [58] proposed a framework to encrypt caller and callee’s identities. Un-fortunately, it is not enough to only protect signaling traffic: Voice flows can also revealsecrets.

Traffic analysis attacks on voice flows: Some VoIP users make calls over commercialrelays for anonymity. Wang et al. [59] demonstrated that such a solution is vulnerable: An

6. Related work 19

attacker can embed watermarks into the encrypted VoIP flow. In this way, an attacker canfind out who called whom by encoding and decoding the watermarks on both side of therelay. Verscheure et al. [60] proposed an attack to reveal calling records by exploiting thehuman conversation pattern: When one speaks, the other usually listens. This “alternate inspeaking and silence” represents a probabilistic rule of VoIP communication. Taking thisinto account, the caller and the callee’s flows are probabilistically linkable if the attackerscan detect the silence and voice period for a flow. This attack is mainly against those VoIPsystems which support silence suppression. These two papers are only focused on attacksand no countermeasure solutions are given. We provided a solution to counteract againstboth of the attacks in Paper V, which is based on packet dropping.

Information leaking of VBR codec: Variable BitRate (VBR) codec allows the codec tochange its bit rate dynamically according to the input speech signal. Thus, the user-agentsgenerate voice packets with different sizes if they apply VBR codec. Wright et al. [61, 62]demonstrated attacks to identify the spoken language or partial conversation content ofencrypted voice packets by using the packet-length information. Moreover, the packet-length information may also enable attackers to recognize the speaker [63]. Different withthis work, we proposed attacks using another side-channel: the RTP header informationthat indicates keystroke. This side-channel may reveal a users’s identity or what the userhas typed.

Solution based on unlinkable identity: Munakata et al. [64] proposed a user-drivenprivacy mechanism by introducing Globally Routable User Agent URIs (GRUU) [65] andTraversal Using Relays around NAT (TURN) [66]. The users can obtain a SIP URI (tempGRUU) and a IP address (IP address of a TURN server) which are unlinkable to theirreal identities. The proposed mechanism in [64] enables VoIP users themselves to achieveanonymity by using unlinkable identities that are functional yet anonymous. However, thismethod does not mitigate traffic analysis as well: Intermediaries on both side of a TURNserver can still profile the mapping relationship of its relayed flows.

Protection of presence traffic: Loesing et al., [67] proposed a P2P architecture based onDistributed Hash Table (DHT) with existing anonymous overlay networks (e.g., Tor [68]) toprovide anonymity services for presence and message users. A user first configures his/herrendezvous address in an anonymous overlay network and later registers this address on aDHT. To extract the rendezvous address from DHT for communication, the user’s buddiesneed to share a common knowledge with him/her. Danezis et al., [69] proposed Drac, asystem designed to provide anonymity for instant message, presence and VoIP communi-cations. Drac employs buddies as relays to connect to untrusted contacts. The communi-cations between buddies are unobservable by applying heartbeat packets at a constant rate.However, the buddy-relationship in Drac is public. Our work is different to theirs: First,we consider a centralized presence model, rather than a P2P presence architecture; and ourgoal is to hide the buddy-relationship among users.


7 Contributions

The objective of the thesis was to improve the security and privacy of current VoIP services.The main contributions of Part I are summarized in Section 7.1, and the contribution of PartII are summarized in Section 7.2. We also summarize the limitations of our research.

7.1 Part I: Unwanted traffic in VoIP networks

We have defined several potential threats with unwanted traffic: (1) An attack can takeadvantage of the communication latency between a SIP proxy and other external infras-tructures (e.g., DNS servers, Web servers) to decrease the throughput of the proxy (PaperI). We named this type of attacks as blocking attacks and a formalized model of such block-ing attacks was given in our work. (2) Another kind of DoS attack is against web serversin VoIP networks by taking SIP proxies as reflectors. It takes advantage of the unbalancedtraffic volume between the server side and the client side. (3) The last one is the spamproblem, in which one spam can be automatically duplicated with different flow patternswhile keeping similar information. This makes SPITs hard to be detected.

We also proposed countermeasures to these threats. For the first threat, we applied acache mechanism with a priority scheme for external information processing (e.g., DNSquery). For the second threat, we modified the certificate distribution scheme defined inRFC 4474 [34]. For the third threat, we employed two local-sensitive hash algorithms tocluster spam flows. Different to common hash algorithm, the local-sensitive hash algo-rithm generates digests with a close distance for similar inputs. Our experiments show thestrength and limitations of the proposed solutions.

7.2 Part II: Information disclosure in VoIP networks

We did a comprehensive survey on anonymous VoIP communications. We surveyed someof the proposed attacks for intermediary attackers to identify the communication partnersand also reviewed the existing research done to design anonymous VoIP communicationservices. We also discussed the major open problems in anonymous VoIP communicationand possible directions for further research.

We also proposed several threats to Information disclosure. (1) We have identified andanalyzed a timing attack aiming at extracting the calling history between domains. Anattacker can send spoofed SIP requests to a victim proxy and observe the Round Trip Time(RTT) between the request and its response. With caches widely deployed, the RTTs forrecently contacted domain should be relatively lower. Thus, the calling history of a domaincan be profiled by a comparison of RTTs. We named this a SIP timing attack in Paper IV,which has not been studied before. (2) Paper VI and VIII discussed two possible methodsto profile the calling records (e.g., who called whom) from wiretapped traffic. The first

7. Contributions 21

takes advantage of starting and ending time of different conversations, while another takesadvantage of users’ keystroke patterns. (3) Paper VII proposed a threat where attackersmay profile a user’s social network by observing presence traffic. This attack is basedon the assumption that the targets of presence traffic are the user’s friends. (4) Paper IXpresents a method to guess the DTMF PIN code of VoIP users from VoIP traffic. Themethod analyzes the time intervals between each pair of keystrokes and then uses a learningalgorithm to predict the probability of a given keystroke pair.

In addition, we designed and discussed countermeasures against these threats. We ap-plied padding methods to equalize flow patterns including packet sizes, packet interarrivaltime and round trip time to hide information (Paper IV, VI, VIII and IX). We also ap-plied a VoIP “defensive dropping” method, in which some RTP packets for silence will berandomly dropped the transmission. Thus the flow patterns can be obscured to discloseinformation. Those countermeasures are also evaluated practically or theoretically.

7.3 Limitations

Although this thesis contributes an updated understanding of VoIP security and privacy, wenote that some constraints in the research.

• We have proposed countermeasure solutions for most studied threats. Those so-lutions are designed for independent threats. Whether these solutions can be wellintegrated together has not been studied. It is possible that different countermea-sure solutions interrupt each other when they are implemented in the same products.For instance, the batch solution in papers VI and VII increase the delay of signalingtransmission and thus may cause a Denial of Service. However, it is difficult to havea comprehensive defending architecture to protect VoIP services against all threats.We believe that different service providers have different priorities for their securitygoals depending on the usage. For instance, a commercial VoIP service provider maycare about the availability of their services against DoS and spam, while a militaryVoIP service provider may more concern on information disclosure.

• We generate artificial VoIP traffic to conduct our experiments instead of using thereal VoIP traffic traces. One reason is that real VoIP traffic is confidential data andwe do not want to compromise users’ privacy. Another reason is that nowadays mostVoIP service providers only deployed fundamental services (e.g., calling, messag-ing) so far. For instance, although the inter-domain authentication scheme [34] isimplemented in SER [18], it still has not been widely used. Nevertheless, our goal isto locate the threats in those proposed schemes and protocols before they are widelydeployed. Thus, lacking of real VoIP traffic traces does not impact our research goals.

• Papers II, VI and VII focuses more on threats and attacks, rather than counter-measures. We merely discussed possible countermeasure solutions in those papers.


Those solutions have obvious shortcomings. So far we have not found better waysto handle the threats. Thus in those paper our major contribution is studying theproblems.

8 Summary of Papers

This section contains short summaries of the papers included in this thesis.

Paper I – Blocking attacks on SIP VoIP proxies caused by external pro-cessing

As VoIP applications become increasingly popular, they are more and more facing securitychallenges that have not been present in the traditional PSTN. One of the reasons is thatVoIP applications rely heavily on external Internet-based infrastructures (e.g., DNS server,web server), so that vulnerabilities of these external infrastructures have an impact on thesecurity of VoIP systems as well. This article presents a Denial of Service (DoS) attack onVoIP systems by exploiting long response times of external infrastructures. This attack canlead the whole VoIP system in a blocked state thus reducing the availability of its providedsignalling services. The results of our experiments prove the feasibility of blocking attacks.Finally, we also discuss several defending methods and present an improved protectionmechanism against blocking attacks.

Paper II – SIP Proxies: New Reflectors in the Internet

To mitigate identity theft in SIP networks, an inter-domain authentication mechanism basedon certificates is proposed in RFC 4474 [34]. Unfortunately, the design of the certificatedistribution in this mechanism yields some vulnerabilities. In this paper, we investigatean attack which exploits SIP infrastructures as reflectors to bring down a web server. Ourexperiments demonstrate that the attacks can be easily mounted. Finally, we discuss somepotential methods to prevent this vulnerability.

Paper III – Detecting Near-Duplicate SPITs in Voice Mailboxes UsingHashes

Spam over Internet Telephony (SPIT) is a threat to the use of Voice of IP (VoIP) systems.One kind of SPIT can make unsolicited bulk calls to victims’ voice mailboxes and thensend them a prepared audio message. We detect this threat within a collaborative detectionframework by comparing unknown VoIP flows with known SPIT samples since the sameaudio message generates VoIP flows with the same flow patterns (e.g., the sequence of

8. Summary of Papers 23

packet sizes). In practice, however, these patterns are not exactly identical: (1) a VoIPflow may be unexpectedly altered by network impairments (e.g., delay jitter and packetloss); and (2) a sophisticated SPITer may dynamically generate each flow. For example,the SPITer employs a Text-To-Speech (TTS) synthesis engine to generate a speech audioinstead of using a pre-recorded one. Thus, we measure the similarity among flows usinglocal-sensitive hash algorithms. A close distance between the hash digest of flow x anda known SPIT suggests that flow x probably belongs the same bulk of the known SPIT.Finally, we also experimentally study the detection performance of the hash algorithms.

Paper IV – Revealing the calling history of SIP VoIP systems by timingattacks

To provide high-level security assurance to SIP VoIP services, an inter-domain authenti-cation mechanism is defined in RFC 4474. However, this mechanism introduces anothervulnerability: a timing attack which can be used for effectively revealing the calling his-tory of a group of VoIP users. The idea here is to exploit the certificate cache mechanismssupported by SIP VoIP infrastructures, in which the certificate from a caller’s domain willbe cached by the callee’s proxy to accelerate subsequent requests. Therefore, SIP process-ing time varies depending whether the two domains had been into contact beforehand ornot. The attacker can thus profile the calling history of a SIP domain by sending probingrequests and observing the time required for processing. The result of our experimentsdemonstrates that this attack can be easily launched. We also discuss countermeasures toprevent such attacks.

Paper V – Peer-to-Peer VoIP Communications Using AnonymisationOverlay Networks

Nowadays, Voice over Internet Protocol (VoIP) which enables voice conversation remotelyover packet switched networks gains much attentions for its low costs and flexible services.However, VoIP calling anonymity, particularly to withhold “who called whom”, is difficultto achieve since VoIP infrastructures are usually deployed in an open networking environ-ment (e.g., the Internet). Our work studies an anonymisation overlay network (AON) basedsolution to prevent surveillance from external attackers, who are able to wiretap the com-munication channels as well as to manipulate voice packets in the channels. However, ithas been demonstrated that the VoIP combined with traditional AONs are vulnerable totwo attacks, namely watermark attack and complementary matching attack. Taking thesetwo attacks into account, we investigate the “defensive dropping” method in VoIP: A VoIPuser-agent sends packets to an AON in a constant rate, but packets during periods of silenceare marked. Then, the AON drops some silence packets and forwards the remaining onesto their destinations. The result of our experiments shows that the dropping rate must be


carefully selected to counteract both of the two attacks. Finally, we discuss further threatsin terms of this solution.

Paper VI – Hidden VoIP Calling Records from Networking Intermedi-aries

While confidentiality of telephone conversation contents has recently received considerableattention in Internet telephony (VoIP), the protection of the caller–callee relation is largelyunexplored. From the privacy research community we learn that this relation can be pro-tected by Chaum’s mixes. In early proposals of mix networks, however, it was reasonableto assume that high latency is acceptable. While the general idea has been deployed forlow latency networks as well, important security measures had to be dropped for achievingperformance. The result is protection against a considerably weaker adversary model inexchange for usability. In this paper, we show that it is unjustified to conclude that lowlatency network applications imply weak protection. On the contrary, we argue that cur-rent Internet telephony protocols provide a range of promising preconditions for adoptinganonymity services with security properties similar to those of high latency anonymity net-works. We expect that implementing anonymity services becomes a major challenge ascustomer privacy becomes one of the most important secondary goals in any (commercial)Internet application.

Paper VII – Timing Attacks on a Centralized Presence Model

Presence information (PI) represents the updated status, context and willingness of com-munication partners in Voice over IP systems. For instance, the action that Alice switchesher status (e.g., from “idle” to “busy”) will trigger PI messages to notify her buddies thischange. In a centralized presence service system, presence communications are managedby a presence server based on users’ buddylists. The privacy concern in this paper is thatnetworking intermediaries, as adversaries, might be able to profile the buddy-relationshipamong the users by utilizing message arrival time. We found that the threat cannot be to-tally eliminated even if the server processes messages in batches. Attackers might observethe traffic in several rounds and thus profile the results. In this paper, we introduce theattacks and discuss potential countermeasures.

Paper VIII – Analyzing Key-click Patterns of PIN Input for Recogniz-ing VoIP Users

Malicious intermediaries are able to detect the availability of VoIP conversation flows ina network and observe the IP addresses used by the conversation partners. However, it isinsufficient to infer the calling records of a particular user in this way since the linkability

9. Conclusions and Outlook 25

between a user and a IP address is uncertain: users may regularly change or share IPaddresses. Unfortunately, VoIP flows may contain human-specific features. For example,users sometimes are required to provide Personal identification numbers (PINs) to a voiceserver for authentication and thus the key-click patterns of entering a PIN can be extractedfrom VoIP flows for user recognition. We invited 31 subjects to enter 4-digital PINs ona virtual keypad of a popular VoIP user-agent with mouse clicking. Employing machinelearning algorithms, we achieved average equal error rates of 10-29% for user verificationand a hitting rate up to 65% with a false positive rate around 1% for user classification.

Paper IX – Timing attacks on PIN input in VoIP networks (Short paper)

To access automated voice services, Voice over IP (VoIP) users sometimes are required toprovide their Personal Identification Numbers (PIN) for authentication. Therefore whenthey enter PINs, their user-agents generate packets for each key pressed and send them im-mediately over the networks. This paper shows that a malicious intermediary can recoverthe inter-keystroke time delay for each PIN input even if the standard encryption mecha-nism has been applied. The inter-keystroke delay can leak information of what has beentyped: Our experiments show that the average search space of a brute force attack on PINcan be reduced by around 80%.

Paper X – A survey on anonymous Voice over IP communication: At-tacks and defences

Anonymous Voice over IP (VoIP) communication is important for many users, in particu-lar, journalists, human rights workers and the military. Recent research work has shown anincreasingly interest in methods of anonymous VoIP communication. This survey starts byintroducing and identifying the major concepts and challenges in this field. Then we re-view anonymity attacks on VoIP and the existing work done to design defending strategies.Finally, we discuss possible directions for the future work in this field.

9 Conclusions and Outlook

Considering the increasing degree of VoIP deployment, we claim that it is crucial for theInternet community including venders and service providers to fully understand the poten-tial security and privacy vulnerabilities of VoIP. A deeper understanding supports designof countermeasures that can be incorporated into the protocol specifications and products.In this thesis, we listed several potential security and privacy vulnerabilities, especiallyby means of unwanted traffic and information disclosure. Moreover, we have studied thevulnerabilities and countermeasures by conducted experiments.


This final section shows overall conclusions and lessons learned. We also suggest futureresearch possibilities. Some of the main conclusions of this thesis are:

• Achieving security and privacy for VoIP is more difficult than for traditional PSTN.VoIP infrastructures are deployed in a relatively open environment (e.g., the Inter-net). It is easy for potential attackers to access these infrastructures for launchingattacks. In contrast, PSTN, a closed network using independent communication pro-tocols, requires more cost for attackers to access. Moreover, since VoIP servicesheavily rely on assistance from external servers (e.g., DNS server, web server), thecommunication between VoIP servers and these external servers can be exploited toimpact the confidentiality and availability of VoIP users. Such risks have never beenreported in PSTN since it does not employs shared infrastructures.

• Unbalanced resource consumption between client side and server side leads to DoSattacks. In a client/server SIP architecture, a SIP proxy processes and forwards SIPmessages between users. However, a message may consume little resource (e.g.,bandwidth, CPU time, etc) on client side but heavy resource on server side undersome circumstances. An attacker can thus take advantage of this fact to continuouslyattack the server side by depleting its resources.

• It is more difficult to classify voice spam than text spam. Classification of spamneeds machine learning algorithms and content recognition. Currently, the techniqueof processing text is more mature than that of processing of voice. Thus it is stillrather challenging to manage VoIP spam.

• Side-channels in VoIP traffic disclose secret information. Depending on the design,different side-channels may be present in VoIP traffic. For instance, the round triptime of a SIP message can reveal the content of local cache which can be used toguess the calling records between two SIP service domains. Also, header fields,packet sizes and packet interarrival time may disclose a user’s identity, PIN code andsocial networks. To break side-channels, these traffic patterns must be equalized ordistorted.

• Security products for VoIP should be designed taking efficiency into account. Incontrast to other services (e.g., email, web), VoIP is time-sensitive. Therefore, com-plicated and time consuming security mechanisms are not suitable to apply for VoIP.If a designer fails to consider efficiency, attackers can easily manipulate the perfor-mance of SIP services to launch a Denial of Service attack.

Current VoIP and Internet technology are still being developed. New functions, fea-tures and implementations are likely to introduce further vulnerabilities. Hence in future itwill be important to continuously conduct vulnerability assessment on the VoIP protocolsand implementations. Another interesting future step is to improve defending alternativesfor those found vulnerabilities. There are limitations on our proposed countermeasures,

REFERENCES 27

which may work better if integrated with other alternatives (defense in depth). Moreover,there is no implementation for anonymous VoIP so far, although there are some implemen-tations for low-latency anonymous communications (e.g., Tor [68], An.On [70]) which arehowever not scalable for VoIP applications. Especially, an optimization scheme to enhanceanonymity with an acceptable communication quality is a necessity. Future work alsoshould include implementation and testing of proposed defensive architectures in practice.

References

[1] U. Varshney, A. Snow, M. McGivern, and C. Howard. Voice over IP. Commun. ACM,45(1):89–96, 2002.

[2] Skype. http://www.Skype.com, visited at 11th-Oct-2011.

[3] VoIP Security Alert: Hackers Start Attacking For Cash. http://www.informationweek.com/news/188702963, visited at 16th-Jan-2012.

[4] D. Butcher, X. Li, and J. Guo. Security challenge and defense in VoIP infrastruc-tures. IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applicationsand Reviews, 37(6):1152–1162, 2007.

[5] T.J. Walsh and D.R. Kuhn. Challenges in securing Voice over IP. Security & Privacy,IEEE, 3(3):44–49, 2005.

[6] S. M. Bellovin, M. Blaze, and S. Landau. The real national-security needs for VoIP.Commun. ACM, 48(11):120, 2005.

[7] D. C. Sicker and T. Lookabaugh. VoIP security: Not an afterthought. Queue, 2(6):56–64, 2004.

[8] E. A. Blake. Network security: VoIP security on data network–a guide. In InfoSecCD’07: Proceedings of the 4th annual conference on Information security curriculumdevelopment, pages 1–7, New York, NY, USA, 2007. ACM.

[9] P. Park. Voice over IP Security. Cisco Press, 2009.

[10] C. J. Dawson. http://sip-trunking.tmcnet.com/topics/sip-trunking/articles/67855-report-sip-trunking-increasing-popularity.htm, visited at 16th-Jan-2009.

[11] J. Postel. Internet Protocol (IP), 1981. RFC 791.

[12] J. Rosenberg, H. Schulzrinne, G. Camarillo, A. Johnston, J. Peterson, R. Sparks,M. Handley, and E. Schooler. SIP: Session Initiation Protocol, 2002. RFC 3261.

[13] H. Schulzrinne, S. Casner, R. Frederick, and V. Jacobson. RTP: A transport protocolfor real-time applications, 2003. RFC 3550.


[14] The Internet Engineering Task Force (IETF). http://www.ietf.org/, visited at 16th-Feb-2012.

[15] Kphone. http://sourceforge.net/projects/kphone, visited at 16th-Feb-2009.

[16] Kcall. http://www.basyskom.de/index.pl/kcall, visited at 16th-Feb-2009.

[17] X-Lite. http://www.counterpath.net/x-lite.html, visited at 16th-Feb-2009.

[18] SIP Express Router. http://www.iptel.org, visited at 16th-Sep-2008.

[19] OpenSIPS. http://www.opensips.org/, visited at 16th-Feb-2009.

[20] R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee. Hypertext Transfer Protocol – HTTP/1.1, 1999. RFC 2616.

[21] J. B. Postel. Simple Mail Transfer Protocol (SMTP), 1982. RFC 821.

[22] T. Berners-Lee, R. Fielding, and L. Masinter. Uniform Resource Identifier (URI):Generic syntax, 2005. RFC 3986.

[23] G.711. http://www.itu.int/rec/T-REC-G.711/e, visited at 21th-Oct-2011.

[24] Spexx. http://www.speex.org/, visited at 11th-Oct-2011.

[25] R. Zopf. Real-time Transport Protocol (RTP) Payload for Comfort Noise (CN), 2002.RFC 3389.

[26] Recommendation G.114 - One-way Transmission Time. http://www.itu.int/itudoc/itu-t/aap/sg12aap/history/g.114/index.html, visited at 21th-Oct-2011.

[27] M. Bishop. Introduction to computer security. Addison-Wesley, 2005.

[28] S. D. Warren and L. D. Brandeis. The Right to Privacy. Harvard Law Review, 4(5),1890.

[29] A. Westin. Privacy and Freedom. Atheneum, 1968.

[30] Wireshark. http://www.wireshark.org/, visited at 16th-Feb-2009.

[31] R. Zhang, X. Wang, X. Yang, and X. Jiang. Billing attacks on SIP-based VoIP sys-tems. In WOOT ’07: Proceedings of the first USENIX workshop on Offensive Tech-nologies, pages 1–8, Berkeley, CA, USA, 2007. USENIX Association.

[32] D. Sisalem, J. Kuthan, and S. Ehlert. Denial of service attacks targeting a SIP VoIP in-frastructure: attack scenarios and prevention mechanisms. IEEE Network, 20(5):26–31, 2006.

REFERENCES 29

[33] J. Arkko, V. Torvinen, G. Camarillo, A. Niemi, and T. Haukka. Security mechanismagreement for the Session Initiation Protocol (SIP), 2003. RFC 3329.

[34] J. Peterson and C. Jennings. Enhancements for authenticated identity management inthe Session Initiation Protocol (SIP), 2006. RFC 4474.

[35] J. Franks, P. Hallam-Baker, J. Hostetler, S. Lawrence, P. Leach, A. Luotonen, andL. Stewart. HTTP authentication: Basic and digest access authentication, 1999. RFC2616.

[36] B. Ramsdell. Secure/Multipurpose Internet Mail Extensions (S/MIME) version 3.1message specification, 2004. RFC 3851.

[37] T. Berners-Lee, L. Masinter, and M. McCahill. Uniform Resource Locators (URL),1994. RFC 1738.

[38] J. Rosenberg and C. Jennings. The Session Initiation Protocol (SIP) and Spam, 2008.RFC 5039.

[39] M. Baugher, D. McGrew, M. Naslund, E. Carrara, and K. Norrman. The SecureReal-time Transport Protocol (SRTP), 2004. RFC 3711.

[40] P. Zimmermann, A. Johnston, and J. Callas. ZRTP: Media Path Key Agreement forUnicast Secure RTP, 2011. RFC 6189.

[41] T. Dierks and E. Rescorla. The Transport Layer Security (TLS) protocol version 1.2,2008. RFC 5246.

[42] S. Kent and R. Atkinson. Security architecture for the Internet Protocol, 1998. RFC1825.

[43] C. Robson. Real world research. Blackwell Publishing, 2002.

[44] R. Jain. The art of computer systems performance analysis: Techniques for experi-mental design, measurement, simulation, and modeling. Wiley- Interscience, 1991.

[45] H. Sengar, D. Wijesekera, H. Wang, and S. Jajodia. Fast detection of denial of serviceattacks on IP telephone. In 14th IEEE International Workshop on Quality of Service,New Haven, USA, June 2006. IEEE.

[46] E. Y. Chen. Detecting DoS attacks on SIP system. In 1st IEEE Workshop on VoIPManagement and Security, Vancouver, Canada, April 2006. IEEE.

[47] H. Sengar, D. Wijesekera, H. Wang, and S. Jajodia. VoIP intrusion detection throughInteracting protocol state machines. In DSN ’06: the International Conference onDependable Systems and Networks, pages 393–402, Washington, USA, June 2006.IEEE Computer Society.


[48] S. Ehlert, C. Wang, T. Magedanz, and D. Sisalem. Specification-based denial-of-service detection for SIP Voice-over-IP networks. In 3rd International Conference onInternet Monitoring and Protection, Bucharest, Hungary, July 2008. IEEE.

[49] N. Vrakas D. Geneiatakis and C. Lamrinoudakis. Utilizing Bloom Filters for Detect-ing Flooding Attacks against SIP Based Services. Computer and Security, 28(7):578–591, 2009.

[50] W. Conner and K. Nahrstedt. Protecting SIP proxy servers from ringing-based denial-of-service attacks. In the Tenth IEEE International Symposium on Multimedia (ISM),Berkeley, USA, December 2008. IEEE.

[51] S. Ehlert, D. Geneiatakis, and T. Magendaz. Survey of Network Security Systemsto Counter SIP-based Denial-of-Service Attacks. Computer and Security, 29(2):225–243, 2010.

[52] D. Shin, J. Ahn, and C. Shim. Progressive multi gray-leveling: a voice spam protec-tion algorithm. IEEE networks, 20(5):18 – 24, 2006.

[53] V. A. Balasubramaniyan, M. Ahamad, and H. Park. Callrank: Using call duration,social networks and pagerank to combat SPIT. In Proceedings of CEAS ’07. ACM.

[54] R. Zhang and A. Gurtov. Collaborative reputation-based voice spam filtering. InProceedings of DEXA workshop ’09. IEEE Computer Society.

[55] A. Markkola and J. Lindqvist. Accessible voice CAPTCHAs for internet telephony.In Proceedings of SOAPS ’08. ACM.

[56] J. Quittek, S. Niccolini, S. Tartarelli, M. Stiemerling, M. Brunner, and T. Ewald.Detecting SPIT calls by checking human communication patterns. In Proceedings ofICC ’07. IEEE Communication Society.

[57] J. Peterson. A Privacy Mechanism for the Session Initiation Protocol (SIP), 2002.RFC 3323.

[58] G. Karopoulos, G. Kambourakis, S. Gritzalis, and E. Konstantinou. A framework foridentity privacy in SIP. Journal of Network and Computer Applications, 33:16–28,January 2010.

[59] X. Wang, S. Chen, and S. Jajodia. Tracking anonymous peer-to-peer VoIP calls onthe Internet. In CCS ’05: Proceedings of the 12th ACM conference on Computer andcommunications security, pages 81–91, New York, NY, USA, 2005. ACM.

[60] O. Verscheure, M. Vlachos, A. Anagnostopoulos, P. Frossard, E. Bouillet, and P. S.Yu. Finding ”who is talking to whom” in VoIP networks via progressive stream clus-tering. In ICDM ’06: Proceedings of the 6th International Conference on Data Min-ing, pages 667–677, Washington, DC, USA, 2006. IEEE Computer Society.

REFERENCES 31

[61] C. V. Wright, L. Ballard, F. Monrose, and G. M. Masson. Language identification ofencrypted VoIP traffic: Alejandra y roberto or alice and bob? In SS’07: Proceedingsof 16th USENIX Security Symposium on USENIX Security Symposium, pages 1–12,Berkeley, CA, USA, 2007. USENIX Association.

[62] C. V. Wright, L. Ballard, S. E. Coull, F. Monrose, and G. M. Masson. Spot me ifyou can: Uncovering spoken phrases in encrypted VoIP conversations. In SP ’08:Proceedings of the 2008 IEEE Symposium on Security and Privacy, pages 35–49,Washington, DC, USA, 2008. IEEE Computer Society.

[63] L.A. Khan, M.S. Baig, and A. M. Youssef. Speaker Recognition from Encrypted VoIPCommunications. Digital Investigation, 7(1-2):65 – 73, 2010.

[64] M. Munakata, S. Schubert, and T. Ohba. User-agent-driven privacy mechanism forSIP, 2010. RFC 5767.

[65] J. Rosenberg. Obtaining and using globally routable user agent uris (GRUUs) in thesession initiation protocol (SIP), 2009. RFC 5627.

[66] R. Mahy, P. Matthews, and J. Rosenberg. Traversal using relays around NAT (TURN):Relay extensions to session traversal utilities for NAT (STUN), 2010. RFC 5766.

[67] K. Loesing, M. Dorsch, M. Grote, K. Hildebrandt, M. Roglinger, M. Sehr, C. Wilms,and G. Wirtz. Privacy-aware presence management in instant message systems.In Proceedings of the 20th Parallel and Distributed Processing Symposium, 2006.(IPDPS ’06). IEEE, 2006.

[68] R. Dingledine, N. Mathewson, and P. Syverson. Tor: the second-generation onionrouter. In SSYM’04: Proceedings of the 13th conference on USENIX Security Sympo-sium, pages 21–21, Berkeley, CA, USA, 2004. USENIX Association.

[69] G. Danezis, C. Diaz, C. Troncoso, and B. Laurie. Drac: An architecture for anony-mous low-volume communications. In PETS ’10: Proceedings of the 10th Pri-vacy Enhancing Technologies Symposium, pages 202–219, Berlin, Heidelberg, 2010.Springer-Verlag.

[70] An.On. http://anon.inf.tu-dresden.de/index en.html, visited at 10th-May-2011.

unwanted traffic and information disclosure in voip...

Documents